
Bad Rabbit: Ransomware linked to NotPetya hits Russia and Ukraine

Targeted attack uses similar methods to NotPetya

A NEW STRAIN OF RANSOMWARE dubbed 'Bad Rabbit' has begun to spread in Russia and Ukraine, initially targeting government and media institutions. Infections have also been seen in Turkey and Bulgaria, but the scope of the spread is still unclear.

The malware has affected systems at three Russian websites, including news services Interfax and Fontanka.ru; an airport in Ukraine; and an underground railway in Kiev.

Kaspersky and British IT security company ESET have both mentioned links to NotPetya but could not confirm whether the two strains were related.

Kaspersky said: "Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr [Kaspersky's name for NotPetya] attack. However, we cannot confirm it is related to ExPetr."

Rik Ferguson, VP of security research at Trend Micro, tweeted that the 'outbreak' has been blown out of proportion.

Bad Rabbit spreads itself through downloads, requiring a target to take action to install the ransomware - which takes the form of a bogus Adobe Flash installer.

Only targets of interest are being infected so far, with We Live Security noting: "One of the distribution methods of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files.

"Server side logic can determine if the visitor is of interest and then add content to the page. In that case, what we have seen is that a popup asking to download an update for Flash Player is shown in the middle of the page."

Once installed, the ransomware can move laterally within a network using SMB - similar to NotPetya.

Malwarebytes said that the two strains were probably prepared by the same authors: "Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn't use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria)."

SentinelOne's chief security consultant, Tony Rowan, told us: "This latest outbreak confirms that attackers will reuse old code as long as it still has success. Indications are that this new variant continues to have success."

Interestingly, Malwarebytes says that Bad Rabbit does not use EternalBlue to spread, while Rowan thinks it does. We have gone back to both for more information.

If they are infected, users are redirected to a Tor domain where they are asked to pay 0.05 Bitcoin (about $280), with a countdown to an increase in price. It is not yet clear whether users will get their files back or if, like NotPetya, they will simply be destroyed. Infected users have been advised not to pay the ransom.

Researcher Kevin Beaumont discovered that the author(s) appear to be fans of Game of Thrones; BadRabbit creates scheduled tasks named after Daenerys Targaryen's dragons, Drogon, Rhaegal and Viserion, as well as a reference to the Unsullied fighter Grey Worm (very different to the skin disease greyscale).

BadRabbit creates two scheduled tasks, named after the dragons from Game of Thrones. Also a reference to GrayWorm, the skin disease in GoT.
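The scheduled-task names above are one of the few host-level artefacts the article gives, and they are cheap to hunt for: Windows records a new scheduled task as Security event 4698 when "Other Object Access Events" auditing is enabled. The following is an added example, not code from the article or from any of the vendors quoted; the log line format it parses is a constructed, simplified export (timestamp, host, event id, user, task path), and the sample lines are invented for the example. It flags any task whose base name matches Drogon, Rhaegal or Viserion and then lists hosts where more than one such task was created, which is the pattern the article describes (the malware creates several tasks, not one).

```python
import re
from dataclasses import dataclass

# Task names reported in the article for Bad Rabbit; compared case-insensitively.
BADRABBIT_TASK_NAMES = {"drogon", "rhaegal", "viserion"}

# Constructed sample log, mimicking a simplified export of Windows Security
# event 4698 ("A scheduled task was created"). The line layout is an assumption
# for this example, not a real Windows export format.
SAMPLE_LOG = """\
2017-10-24 13:01:12 host=WS01 event=4698 user=CORP\\alice task=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag
2017-10-24 13:05:44 host=WS01 event=4698 user=CORP\\alice task=\\rhaegal
2017-10-24 13:05:45 host=WS01 event=4698 user=CORP\\alice task=\\drogon
2017-10-24 13:06:02 host=WS07 event=4698 user=CORP\\bob task=\\Backup\\NightlyBackup
2017-10-24 13:09:30 host=WS07 event=4698 user=CORP\\bob task=\\viserion
2017-10-24 13:10:00 host=WS07 event=4702 user=CORP\\bob task=\\Backup\\NightlyBackup
"""

# One regex for the constructed line layout above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) task=(?P<task>\S+)$"
)


@dataclass(frozen=True)
class TaskEvent:
    timestamp: str
    host: str
    user: str
    task: str


def parse_task_events(log_text):
    """Return the task-creation (4698) events found in the log text.

    Lines that do not match the layout, or that carry another event id
    (e.g. 4702, task updated), are skipped rather than raising.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "4698":
            continue
        events.append(TaskEvent(m.group("ts"), m.group("host"),
                                m.group("user"), m.group("task")))
    return events


def task_base_name(task_path):
    """Strip the folder part of a task path such as \\Microsoft\\Windows\\X\\Name."""
    return task_path.rstrip("\\").rsplit("\\", 1)[-1]


def find_suspicious_tasks(events):
    """Events whose task name matches one of the names reported for Bad Rabbit."""
    return [e for e in events
            if task_base_name(e.task).lower() in BADRABBIT_TASK_NAMES]


def hosts_with_multiple_hits(events, threshold=2):
    """Hosts on which at least `threshold` matching tasks were created.

    A single odd task name could be a coincidence; several of these names
    appearing on one host in quick succession is the stronger signal.
    """
    counts = {}
    for e in find_suspicious_tasks(events):
        counts[e.host] = counts.get(e.host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    evts = parse_task_events(SAMPLE_LOG)
    for e in find_suspicious_tasks(evts):
        print(f"{e.timestamp} {e.host} {e.user} created task {e.task}")
    print("hosts with multiple hits:", hosts_with_multiple_hits(evts))
```

Matching on the base name rather than the full path keeps the check working whether the task lands at the root of the Task Scheduler library or inside a folder; the threshold is there so a single accidental match on a workstation does not page anyone, while two or three of these names on one host does.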